Do they though?

I have had my email address published on my website in a <a href="mailto:… for like 20 years and I don't get spam that would get through the spam filter.

I use both Gmail and (for some other addresses) a webmail hosted by a local company which uses some other filter. Both work well, so it's not something only Google can do.

I definitely recall in the early 2000's it absolutely did lead to spam, and e-mail obfuscation techniques were a real thing that genuinely helped.

But by 2015 or so it didn't matter at all anymore, in my personal experience. It didn't even lead to spam that needed to filtered. Spammers just stopped looking for e-mails that way.

Which makes perfect sense -- most people don't have their e-mail address listed anywhere online in the first place, but you can purchase gigantic lists of e-mail addresses. That either originate from companies that sell their own user lists, or people who hacked the companies' servers.

These days if you want to send spam, trawling the web for e-mails makes zero sense. It's practically the least efficient thing you could do.

The email address on my website doesn’t even get stuff that goes to the spam filter. Nothing, nada zilch.

I do think that there are some mailing lists that get generated by trying to guess emails, brute-forcing gmail addresses by trying dictionary attacks of the FIRSTNAME.LASTNAME variety or 1–10 letters. I get a tiny amount of spam sent to a domain@domain.com address I have, but that’s typically on the order of one message a year.

And all else aside, the overall volume of spam email has declined dramatically, even ignoring the effect of the gmail spam filter. I’m guessing that email as a spam vector just doesn’t make sense anymore and most of what goes out is a mix of 419 scammers trying to make their quotas and would-be scammers who’ve been scammed into buying that 20-year-old list of emails.

Also this was a time when mail boxes were often allocated 10-25 megabytes. So spam bots could easily flood your email.

Then on April 1st, 2004 Google launched wasn't an April 1st joke... GMail with 1GB! I remember getting a beta invite and inviting others.

The spam I get is rather mis-targeted. For a while I was getting spam for equipment which would be useful were I a bulk producer of olive oil. "We have 15 years of experience in the research, development and production of automatic edible oil filling equipment...." There are the usual fake financing deals: "We’ve pre-approved your business for financing..." Whatever sends that crap doesn't look at the web site at all.

When I get spam from Gmail or Outlook accounts, I report it, so they will get a strike against their account. I don't hear from those people again.

All other spam is so obviously bogus that simple filters are dumping it into a junk folder. Most of it seems to be phishing emails. "You have won a (some tool)..." seems to be popular this week.

Instagram/Meta’s customer support is absolutely atrocious and disgraceful on this front. They basically treat my wife like she’s also a spammer and there’s no way to recover the account or undo any of the changes the spammers made.

It’s hilarious how they ask you to “appeal” a ban by clicking a single button without giving any chance to rectify what the spammers did to her account. Of course their automated bots just reject your appeal almost instantly. Shameful.

You can get it back by paying off a Meta employee through a site like Swapd. It's either that or get your comment to the front page of HN. Those are the only two customer support channels for Meta or Google.

An almost tin-foil hat wearing colleague of mine went on loudly and proudly about how he'd never give HIS phone number to Google, oh no! Not him!

I just had to say, "John, they have it - you're in my contact list."

He hadn't even considered that.

My email address: Listed at the top of the front page. In a H3 tag.

This email address's spam problem: Not a problem. 15ish per day get to me including Junk folder. Thanks Purelymail.

What is a problem: Transactional email unrelated to transactions, Promotional email which is newsletter junk spam, Social networks complaining of not being used.

This is my biggest one. I get more spam from Facebook begging me to log in than I do from almost anything else. I haven't used the account in about 7 years, you'd think they'd figure it out.

Cost of sending spam: Effectively zero.

Cost of pissing off inactive user: Essentially zero.

Cost of convincing inactive user to come back: Positive.

Add in a bunch of other factors like some product manager twisting stats to make it look like they are getting users back even if they really aren't and you see why it happens.

NoScript on Firefox with default settings don't render <object> tags (replaces them with placeholders), so this technique doesn't work here.

https://imgur.com/2tCAgAf

The article uses "Email us!" as the label on the svg and a elements, which effectively hides the actual email address from screen readers. Using aria labels in this way is a really bad practice, a screen reader user should have the same experience as anybody else unless there's a very good reason to do otherwise, and if you think your reason is a good reason, you're probably wrong.

The proper way to do this would be to put the actual email address in the labels,.

There's a reason that many end-to-end testing experts recommend writing selectors based on accessibility labels instead of CSS classes or IDs, especially if you're using a library like Styled Components.

If the scrapper is searching the DOM rather than simply downloading the webpages, then the email will found regardless.

That point might be academic anyway as I'm not sure Dragon would activate a link inside an SVG

<span class="contact-email">rea<span class="hidden">nospam</span>l@mai<span class="hidden">sjs</span>l.com</span>

I still receive "spam" tho, but it seems they manually collected the email because what I receive are B2B proposals clearly targeted at the topic of my website.

There are a fair few sites, where most all content is perfectly readable without JS, except things like "1920x1080@60Hz" are displayed as literal "[email protected]" text.

Do you have one on hand? That sounds absurd and I've never seen it

Unless you change your email address at least monthly, all it takes is for one person or company to share your contact with someone else or enter it into a database/CRM, or one service to get breached, then your email address is on a list that eventually gets propagated to every spammer worldwide. If you use that email with any regularity, the chance of those things happening can be rounded up to 100%.

If hiding your email address from scrapers actually worked, spam wouldn't exist. I never published my personal contact anywhere, yet I get dozens of spam emails per week. They all get filtered as spam, it's not a big deal.

The fact that SVGs can even have JS embedded feels both untapped and kind of dangerous.

This is super far out of my wheelhouse technically as a backend engineer but it sounds really cool.

Granted, this may depend on email provider and spam filter, so YMMV, but it hasn't been an issue for me.

However, if you have a headless browser setup for scraping, and simply fetch the current URL while on the page[0], you can get the plain text, and do a regex search for email addresses which will get you the email address - albeit this is a strange approach to take I admit.

[0]: fetch('./').then((res) => res.text()).then((text) => console.log(text))

Most basic scrappers, the ones that are not for your testing or devtools or automation or ... Actually use basic text, without any interpretation. They grep the source code, they don't run a dom and javascript engine, because it's a major difference in computing needs and speed.

I am not saying there is no evil scrapper doing dom evaluation, there are tons, I am reacting to your "FIRST line of defense", that one is scrambling the raw text, which is why we got there.

What parent is saying, is that this is trying to upgrade the defense that we have generated to stop the threat that evolved, but it forgot why we got there and thus makes itself vulnerable to the original threat.

This technique protects from a "neither here nor there" subset of programs, I wonder how large is that set in practice.

This is trivial to overcome for most basic scrapers and not much harder even if you try to obfuscate with paths for more sophisticated ones.

For a few years after that I did the "+" Gmail alias thing, to try to filter and catch companies. But I realised that's easy and obvious to strip, so it wasn't worth the effort (although I have caught PayPal leaking my email somehow).

But self-hosting email is an adventure I'm nervous to embark on.

I've been using similar aliases for years (paypal@domain.tld, ebay@domain.tld, etc), but make sure you have a contingency plan for when you're no more. I've received lots of account info from previous owners of the domain by setting up a catchall mailbox. We will obviously not care, but when someone takes over your account, they might use it to do harm to others (spam or fraud or whatever else).

Which is exactly what I do. As soon as I see spam sent to any particular email address, I know who it is that leaked the address and I can block it without issue.

>But self-hosting email is an adventure I'm nervous to embark on.

Why are you nervous about it? I've been doing so for decades and haven't had many issues at all. There are a bunch of all-in-one solutions like mailinabox[0] (I roll my own, but as I said, I've been doing this for decades) and others which would likely make things simpler for you. Go for it! You won't be disappointed.

[0] https://en.wikipedia.org/wiki/Mail-in-a-Box

I barely get spam and have a bigger issue with false positives in my spam folder. On the other hand I don't think there are many pages on the web that display my email address, so I'm curious about others' experience.

"Nine ways to obfuscate e-mail addresses compared

"When displaying an e-mail address on a website you obviously want to obfuscate it to avoid it getting harvested by spammers. But which obfuscation method is the best one? I drove a test to find out."

Until some bot dev sees this, accepts the challenge, and then solves it as a function within their package that never needs updating again because it is now done. So, live it up while it is not solved. After that, just shrug your shoulders at yet another idea no longer being useful

The rest is mice and traps.

For testing purposes, the nvda screen reader is free and open source. I'm not sure if there is a driver for it to have an api access to what it would output, but it might be a fun project to try for a11y testing purposes.

Not sure about desktop apps.

   {
     "model" : "gpt-4-turbo",
     "messages" : [ 
       {
         "role" : "system",
         "content" : [ {
          "type" : "text",
          "text" : "return a json array of all valid emails found in the image."
          } ] 
       }, 
       {
         "role" : "user",
         "content" : [ {
           "type" : "image_url",
           "image_url" : {
           "url" : "data:image/png;base64,{{ INSERT_BASE64_PNG_DATA }}"
         }
       } ]
     } ],
      "temperature" : 0.5,
      "max_tokens" : 2048,
      "top_p" : 1.0,
      "frequency_penalty" : 0.0,
      "presence_penalty" : 0.0
    }

    wget --recursive --quiet $BASE_URL && grep -roh 'mailto:\([^"]*\)'

I'm using voice over on MacOS chromium and I have the same experience as the NVDA user, although if I interact with the "link" I'll eventually find the email. If I wasn't aware of the ofuscation however I probably would just think the webpage was weird, saying "this is an email" but actually giving a mailto: link. In general, if you're doing something special to improve accessibility then odds are you're doing it wrong, and if it's anything web related the odds are at least 90%. Most accessibility issues on the internet are developers trying to be smart by using ARIA labels or such which usually just make it worse. The example I have to deal with most often are manpages on man.openbsd.org. All of their cross references to other manpages say something like "openssl, section 1" instead of "openssl(1)", which is what's displayed on the screen and what the browser's find command sees while searching.

For completeness, I also tried the page with various terminal browsers, specifically lynx, felinks, w3m, and edbrowse. None, and I mean NONE of them could display the svg properly, they couldn't even recognise it as an image.

    <object data="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20200%2024%22%3E%3Ca%20href%3D%22mailto%3Amyemail%40mydomain.tld%22%3E%3Ctext%20x%3D%2250%25%22%20y%3D%2250%25%22%20dominant-baseline%3D%22middle%22%20text-anchor%3D%22middle%22%3Emyemail%40mydomain.tld%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E" type="image/svg+xml"></object>

  > Le 2 mai 2024 à 12:13, Geoffrey Callaghan <irishgeoff@yahoo.com>
  >
  > Hello there,
  >
  > Please don't shoot the messenger ( that's me don't shoot :)
  >
  > But you should not post your email address like that in its raw email format on the hacker news 
  >
  > You should use a tool like https://veilmail.io to hide your email address from spam bots :)
  > 
  > You can always go back and change your hacker news post with a veilmail address.
  > 
  > Have a nice day
  > 
  > Geoff

Spammers probably aren't going to update their tools to take into account every possible way every site obfuscates their email addresses, so the main trick to dealing with them would be to do something other sites/services don't. If you or your company become successful enough that people are actually targeting you in particular, then congrats, you're probably in a good place anyway.

But this is also sort of a security through obscurity approach, if enough people adopt one of these methods of obfuscation then the spammers absolutely will change their tools.

It's your domain, why not just have "contact@example.com" for incoming mail instead?

(Novel approach, thanks for sharing!)

While this obviously (re)introduces JS into the mix, how would a simple compressed string fare against base64 svg embedding?

``` const compressedBase64Svg = '...';

function decompressAndInsertSVG(encodedData) { const decodedData = atob(compressedBase64Svg); const decompressedSvg = decompress(decodedData); const svgContainer = document.getElementById('svgContainer'); svgContainer.innerHTML = decompressedSvg; }

decompressAndInsertSVG(encodedSVG); ```

My email addreas is danny@spesh.com. I get a lot of spam -- possibly, since I have been distributing that address deliberately on the web and inadvertently in hacked datadumps, a near maximum amount of spam.

But the benefits of having people easily find a way to contact me directly has for me far outweighed the (largely solved) challenge of discarding automated spam.

Publish your email address! It's okay! Very little bad will happen, and people will be able contact you without going through some strange social media intermediary!

https://haveibeenpwned.com/

45 data breaches and 7 pastes

Wow, I don't know if I've ever seen a real address in so many breaches haha

Personal anecdote: one morning, whilst still quite sleepy received a very well crafted Namecheap phishing expedition. I half knew the product they were claiming was lapsed was actually fine, but I had just recently renewed so I thought perhaps there had been a problem I missed, and it was convincing enough that I clicked the link before doing the normal sanity checks. Thankfully the address it went to didn't resolve. Hopefully I would have noticed the obviously incorrect URL before I entered any details, and I have 2FA enabled, but still, I should and do know better, it was just perfect timing for a well crafted attack...

<a href="&#109;&#x61;&#105;&#x6c;&#116;&#x6f;&#58;&#x73;&#111;&#x6d;&#101;&#x2e;&#100;&#x75;&#100;&#x65;&#64;&#x74;&#104;&#x65;&#46;&#x6f;&#116;&#x68;&#101;&#x72;&#100;&#x75;&#100;&#x65;&#115;&#x2e;&#115;&#x69;&#116;&#x65;">&#115;&#x6f;&#109;&#x65;&#46;&#x64;&#117;&#x64;&#101;&#x40;&#116;&#x68;&#101;&#x2e;&#111;&#x74;&#104;&#x65;&#114;&#x64;&#117;&#x64;&#101;&#x73;&#46;&#x73;&#105;&#x74;&#101;</a>

It just seems like this adds a couple of steps to existing crawler scripts.

Does the fact someone independently discovers Gauss method to sum up all the numbers 1...100 today make it worth sharing?

My point is that this is a primitive and easy to break workaround and better methods exist.

I appreciate the hacker creativity at display here, but as other said obfuscating an email address raises accessibility issues. Hiding content from some programs and not others (spam bots vs assistive technologies) seems inherently a losing game, for you or for users.

In my case, I setup an email alias with a sieve rule (if email sent to alias move to “public inquiry” folder). Prior to processing rule, spam assassin takes care of the non technical folks that couldn’t be bothered to run their spam campaign through spam assassin testers. Or even nontechnical folks that wouldn’t know how to setup their domain for sending email (spf, dkim, dmarc, …)

1 hour later.

Spam-scraper updated to support this.

I don’t think I got a single spam email in the last 5-10 years.

SMS, on the other hand…

So yeah, I wouldn't call this accessible.

first emails I received after the gmail welcome email were b2b sales from construction companies (i'm not in this field), shopify optimizations (i don't run one), agencies suggesting how i improve the ui/ux of my site (no website yet).

thankfully, they're all in the spam folder. i'm using google workspace.

i believe these spammers get their leads on newly-registered domains. so, how do we protect ourselves from that?

But they won't as soon as they realize it's just easy to parse text that contains data they're looking for.

I added `style="height: 2em"` to the `<object>` to fit it within my use-case. Should be able to adapt to current font size that way I think.

All you're doing I making it slightly more difficult for the people that want to contact you to do so.

OCR has been a thing for years.

Just put your email out there. That's what spam filters are for.

charles@geuis.com. There. Scrape it. Spam it. I don't care.

Edit:

Yes, thank you for signing me up for the DNC (already a member), some random Trump org, something about Scientology, and another random christian-based website. Honestly, I'm kind of sad at the lack of originality given the otherwise extremely ingenious community we have here.

While OCR does exist it's incredibly expensive compared to text scraping. The main way to combat spam is to make the cost of spamming more expensive than the benefit.

I was not aware that we could embed CSS in SVG.